On Feb 23, 2017, at 10:06 PM, Mirimir <mirimir@riseup.net> wrote:

So tptacek's comment summarizes it well:

| Oh, my god.
|
| Read the whole event log.
|
| If you were behind Cloudflare and it was proxying sensitive data
| (the contents of HTTP POSTs, &c), they've potentially been spraying
| it into caches all across the Internet; it was so bad that Tavis
| found it by accident just looking through Google search results.
|
| The crazy thing here is that the Project Zero people were joking
| last night about a disclosure that was going to keep everyone at
| work late today. And, this morning, Google announced the SHA-1
| collision, which everyone (including the insiders who leaked that
| the SHA-1 collision was coming) thought was the big announcement.
|
| Nope. A SHA-1 collision, it turns out, is the minor security news
| of the day.
|
| This is approximately as bad as it ever gets. A significant number
| of companies probably need to compose customer notifications; it's,
| at this point, very difficult to rule out unauthorized disclosure
| of anything that traversed Cloudflare.

https://news.ycombinator.com/item?id=13718752

Holy shit! Ars has a write up

https://arstechnica.com/security/2017/02/serious-cloudflare-bug-exposed-a-potpourri-of-secret-customer-data/